The European Data Protection Board (the “EDPB”) recently adopted its Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679 (the “Guidelines”). The Guidelines aim to provide practical guidance with respect to Articles 40 and 41 of the EU General Data Protection Regulation (“GDPR”). In particular, the Guidelines intend to clarify the rules and procedures for the submission, approval and publication of codes of conduct.
Admissibility of a Draft Code
There are a number of conditions to be met before the competent Supervisory Authority (the “CompSA”) can assess and review a draft code of conduct. The draft code of conduct must, among other qualifications: (1) contain an explanatory statement and supporting documentation on the purpose and scope of the code of conduct, and how it will facilitate the application of the GDPR to the defined sector; (2) be submitted by an association, a consortium of associations or another body representing categories of data controllers or processors (the “code owner”); (3) clearly define the scope of the processing activities it covers, the categories of data controllers or processors it governs and the territorial scope of the code; (4) identify the CompSA that will review the draft code; (5) include a mechanism to oversee the compliance of the code’s adherents with the provisions of the code; (6) identify a monitoring body, accredited by the CompSA, and mechanisms allowing compliance monitoring; and (7) contain information regarding the consultation carried out with the relevant stakeholders prior to adopting the code of conduct.
Criteria for Approving Codes of Conduct
Code owners must be able to demonstrate that their code contributes to the proper application of the GDPR, and in particular, that the code: (1) meets or addresses a particular need or data protection issues specific to the concerned sector or processing activity; (2) facilitates the application of the GDPR; (3) specifies the application of the GDPR by providing sufficiently clear and effective solutions to address particular data protection areas and issues in the specific sector to which the code applies; (4) provides suitable and effective safeguards to mitigate the risk to data processing and the rights and freedoms of individuals; and (5) provides effective mechanisms allowing appropriate monitoring of the rules (e.g., regular audits and reporting requirements, concrete sanctions and remedies in the case of a violation of the code) and identifies a monitoring body.
Submission, Admissibility and Approval Process
National Code. Upon submission of the draft code of conduct, the CompSA conducts a preliminary assessment. If the outcome of the preliminary assessment is positive, the CompSA further reviews the code’s content and delivers an opinion, within a reasonable period of time, either refusing or approving the code of conduct. In the latter scenario, the CompSA must register and publish the code of conduct. In addition, the EDPB will make all approved codes publicly available.
Transnational Code. A transnational code relates to processing activities in more than one Member State. The draft code of conduct must be submitted to the CompSA that acts as the principal authority for the approval of the code. Upon submission, the CompSA proceeds with the preliminary assessment. The CompSA also notifies the concerned supervisory authorities (“SAs”) that a code was submitted and cooperates with them. If the outcome of the preliminary assessment is positive, the CompSA notifies the code owners and the concerned SAs of its decision and seeks up to two co-reviewers. Co-reviewers assist the CompSA in assessing the draft code, and the CompSA takes their comments into consideration when carrying out its assessment. The CompSA makes the final determination as to whether the draft code should be submitted to the EDPB. If the CompSA’s decision is to approve the draft code, the CompSA circulates the draft approval to all concerned SAs, which have 30 days to respond. The opinion of the EDPB is communicated to the CompSA and, on that basis, the CompSA assesses whether it will maintain or amend its draft decision. The EU Commission may decide via an implementing act that an approved transnational code of conduct will be valid within the EU.
In the Guidelines, the EDPB emphasizes that the assessment process must not be used to further consult on the provisions of the draft code with the CompSA. Code owners should liaise and cooperate with the SAs before submitting a code for approval. Code owners must also be available to answer questions in respect of their draft code within a reasonable period of time. To that end, a single point of contact should be provided to the CompSA.
Monitoring and Enforcement of the Code of Conduct
To be approved, a code of conduct must identify a monitoring body accredited by the CompSA as being able to monitor the code. CompSAs will submit their requirements for accreditation to the EDPB.
To be accredited, a monitoring body must, among other qualifications: (1) be independent; (2) exercise its tasks free of any conflict of interest; (3) have sufficient expertise to carry out its role in an effective manner; (4) have appropriate governance structures and procedures allowing it to assess the eligibility of controllers and processors to apply the code, monitor compliance with the code’s provisions and review the code’s operation; (5) establish effective complaints-handling procedures; (6) communicate efficiently with the CompSA and other relevant SAs; and (7) adopt appropriate review mechanisms. The CompSA can revoke the accreditation at any time. Such revocation may lead to the suspension or permanent withdrawal of the code of conduct.
The Guidelines also include three Appendices regarding: (1) the distinction between national and transnational codes; (2) the criteria to take into account when choosing a CompSA; and (3) a checklist for submission of a draft code to the CompSA.